+#define EVENT_TRACE_TYPE_INFO 0x00
+#define EVENT_TRACE_TYPE_START 0x01
+#define EVENT_TRACE_TYPE_END 0x02
+#define EVENT_TRACE_TYPE_STOP 0x02
+#define EVENT_TRACE_TYPE_DC_START 0x03
+#define EVENT_TRACE_TYPE_DC_END 0x04
+#define EVENT_TRACE_TYPE_EXTENSION 0x05
+#define EVENT_TRACE_TYPE_REPLY 0x06
+#define EVENT_TRACE_TYPE_DEQUEUE 0x07
+#define EVENT_TRACE_TYPE_RESUME 0x07
+#define EVENT_TRACE_TYPE_CHECKPOINT 0x08
+#define EVENT_TRACE_TYPE_SUSPEND 0x08
+#define EVENT_TRACE_TYPE_WINEVT_SEND 0x09
+#define EVENT_TRACE_TYPE_WINEVT_RECEIVE 0XF0
+
+#define TRACE_LEVEL_NONE 0
+#define TRACE_LEVEL_CRITICAL 1
+#define TRACE_LEVEL_FATAL 1
+#define TRACE_LEVEL_ERROR 2
+#define TRACE_LEVEL_WARNING 3
+#define TRACE_LEVEL_INFORMATION 4
+#define TRACE_LEVEL_VERBOSE 5
+#define TRACE_LEVEL_RESERVED6 6
+#define TRACE_LEVEL_RESERVED7 7
+#define TRACE_LEVEL_RESERVED8 8
+#define TRACE_LEVEL_RESERVED9 9
+
+#define EVENT_TRACE_TYPE_LOAD 0x0A
+
+#define EVENT_TRACE_TYPE_IO_READ 0x0A
+#define EVENT_TRACE_TYPE_IO_WRITE 0x0B
+#define EVENT_TRACE_TYPE_IO_READ_INIT 0x0C
+#define EVENT_TRACE_TYPE_IO_WRITE_INIT 0x0D
+#define EVENT_TRACE_TYPE_IO_FLUSH 0x0E
+#define EVENT_TRACE_TYPE_IO_FLUSH_INIT 0x0F
+
+#define EVENT_TRACE_TYPE_MM_TF 0x0A
+#define EVENT_TRACE_TYPE_MM_DZF 0x0B
+#define EVENT_TRACE_TYPE_MM_COW 0x0C
+#define EVENT_TRACE_TYPE_MM_GPF 0x0D
+#define EVENT_TRACE_TYPE_MM_HPF 0x0E
+#define EVENT_TRACE_TYPE_MM_AV 0x0F
+
+#define EVENT_TRACE_TYPE_SEND 0x0A
+#define EVENT_TRACE_TYPE_RECEIVE 0x0B
+#define EVENT_TRACE_TYPE_CONNECT 0x0C
+#define EVENT_TRACE_TYPE_DISCONNECT 0x0D
+#define EVENT_TRACE_TYPE_RETRANSMIT 0x0E
+#define EVENT_TRACE_TYPE_ACCEPT 0x0F
+#define EVENT_TRACE_TYPE_RECONNECT 0x10
+#define EVENT_TRACE_TYPE_CONNFAIL 0x11
+#define EVENT_TRACE_TYPE_COPY_TCP 0x12
+#define EVENT_TRACE_TYPE_COPY_ARP 0x13
+#define EVENT_TRACE_TYPE_ACKFULL 0x14
+#define EVENT_TRACE_TYPE_ACKPART 0x15
+#define EVENT_TRACE_TYPE_ACKDUP 0x16
+
+#define EVENT_TRACE_TYPE_GUIDMAP 0x0A
+#define EVENT_TRACE_TYPE_CONFIG 0x0B
+#define EVENT_TRACE_TYPE_SIDINFO 0x0C
+#define EVENT_TRACE_TYPE_SECURITY 0x0D
+
+#define EVENT_TRACE_TYPE_REGCREATE 0x0A
+#define EVENT_TRACE_TYPE_REGOPEN 0x0B
+#define EVENT_TRACE_TYPE_REGDELETE 0x0C
+#define EVENT_TRACE_TYPE_REGQUERY 0x0D
+#define EVENT_TRACE_TYPE_REGSETVALUE 0x0E
+#define EVENT_TRACE_TYPE_REGDELETEVALUE 0x0F
+#define EVENT_TRACE_TYPE_REGQUERYVALUE 0x10
+#define EVENT_TRACE_TYPE_REGENUMERATEKEY 0x11
+#define EVENT_TRACE_TYPE_REGENUMERATEVALUEKEY 0x12
+#define EVENT_TRACE_TYPE_REGQUERYMULTIPLEVALUE 0x13
+#define EVENT_TRACE_TYPE_REGSETINFORMATION 0x14
+#define EVENT_TRACE_TYPE_REGFLUSH 0x15
+#define EVENT_TRACE_TYPE_REGKCBCREATE 0x16
+#define EVENT_TRACE_TYPE_REGKCBDELETE 0x17
+#define EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN 0x18
+#define EVENT_TRACE_TYPE_REGKCBRUNDOWNEND 0x19
+#define EVENT_TRACE_TYPE_REGVIRTUALIZE 0x1A
+#define EVENT_TRACE_TYPE_REGCLOSE 0x1B
+#define EVENT_TRACE_TYPE_REGSETSECURITY 0x1C
+#define EVENT_TRACE_TYPE_REGQUERYSECURITY 0x1D
+#define EVENT_TRACE_TYPE_REGCOMMIT 0x1E
+#define EVENT_TRACE_TYPE_REGPREPARE 0x1F
+#define EVENT_TRACE_TYPE_REGROLLBACK 0x20
+#define EVENT_TRACE_TYPE_REGMOUNTHIVE 0x21
+
+#define EVENT_TRACE_TYPE_CONFIG_CPU 0x0A
+#define EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK 0x0B
+#define EVENT_TRACE_TYPE_CONFIG_LOGICALDISK 0x0C
+#define EVENT_TRACE_TYPE_CONFIG_NIC 0x0D
+#define EVENT_TRACE_TYPE_CONFIG_VIDEO 0x0E
+#define EVENT_TRACE_TYPE_CONFIG_SERVICES 0x0F
+#define EVENT_TRACE_TYPE_CONFIG_POWER 0x10
+#define EVENT_TRACE_TYPE_CONFIG_NETINFO 0x11
+
+#define EVENT_TRACE_TYPE_CONFIG_IRQ 0x15
+#define EVENT_TRACE_TYPE_CONFIG_PNP 0x16
+#define EVENT_TRACE_TYPE_CONFIG_IDECHANNEL 0x17
+#define EVENT_TRACE_TYPE_CONFIG_PLATFORM 0x19
+
+#define EVENT_TRACE_FLAG_PROCESS 0x00000001
+#define EVENT_TRACE_FLAG_THREAD 0x00000002
+#define EVENT_TRACE_FLAG_IMAGE_LOAD 0x00000004
+
+#define EVENT_TRACE_FLAG_DISK_IO 0x00000100
+#define EVENT_TRACE_FLAG_DISK_FILE_IO 0x00000200
+
+#define EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS 0x00001000
+#define EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS 0x00002000
+
+#define EVENT_TRACE_FLAG_NETWORK_TCPIP 0x00010000
+
+#define EVENT_TRACE_FLAG_REGISTRY 0x00020000
+#define EVENT_TRACE_FLAG_DBGPRINT 0x00040000
+
+#define EVENT_TRACE_FLAG_PROCESS_COUNTERS 0x00000008
+#define EVENT_TRACE_FLAG_CSWITCH 0x00000010
+#define EVENT_TRACE_FLAG_DPC 0x00000020
+#define EVENT_TRACE_FLAG_INTERRUPT 0x00000040
+#define EVENT_TRACE_FLAG_SYSTEMCALL 0x00000080
+
+#define EVENT_TRACE_FLAG_DISK_IO_INIT 0x00000400
+
+#define EVENT_TRACE_FLAG_ALPC 0x00100000
+#define EVENT_TRACE_FLAG_SPLIT_IO 0x00200000
+
+#define EVENT_TRACE_FLAG_DRIVER 0x00800000
+#define EVENT_TRACE_FLAG_PROFILE 0x01000000
+#define EVENT_TRACE_FLAG_FILE_IO 0x02000000
+#define EVENT_TRACE_FLAG_FILE_IO_INIT 0x04000000
+
+#define EVENT_TRACE_FLAG_DISPATCHER 0x00000800
+#define EVENT_TRACE_FLAG_VIRTUAL_ALLOC 0x00004000
+
+#define EVENT_TRACE_FLAG_EXTENSION 0x80000000
+#define EVENT_TRACE_FLAG_FORWARD_WMI 0x40000000
+#define EVENT_TRACE_FLAG_ENABLE_RESERVE 0x20000000
+
+#define EVENT_TRACE_FILE_MODE_NONE 0x00000000
+#define EVENT_TRACE_FILE_MODE_SEQUENTIAL 0x00000001
+#define EVENT_TRACE_FILE_MODE_CIRCULAR 0x00000002
+#define EVENT_TRACE_FILE_MODE_APPEND 0x00000004
+
+#define EVENT_TRACE_REAL_TIME_MODE 0x00000100
+#define EVENT_TRACE_DELAY_OPEN_FILE_MODE 0x00000200
+#define EVENT_TRACE_BUFFERING_MODE 0x00000400
+#define EVENT_TRACE_PRIVATE_LOGGER_MODE 0x00000800
+#define EVENT_TRACE_ADD_HEADER_MODE 0x00001000
+
+#define EVENT_TRACE_USE_GLOBAL_SEQUENCE 0x00004000
+#define EVENT_TRACE_USE_LOCAL_SEQUENCE 0x00008000
+
+#define EVENT_TRACE_RELOG_MODE 0x00010000
+
+#define EVENT_TRACE_USE_PAGED_MEMORY 0x01000000
+
+#define EVENT_TRACE_FILE_MODE_NEWFILE 0x00000008
+#define EVENT_TRACE_FILE_MODE_PREALLOCATE 0x00000020
+
+#define EVENT_TRACE_NONSTOPPABLE_MODE 0x00000040
+#define EVENT_TRACE_SECURE_MODE 0x00000080
+#define EVENT_TRACE_USE_KBYTES_FOR_SIZE 0x00002000
+#define EVENT_TRACE_PRIVATE_IN_PROC 0x00020000
+#define EVENT_TRACE_MODE_RESERVED 0x00100000
+
+#define EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING 0x10000000
+
+#define EVENT_TRACE_CONTROL_QUERY 0
+#define EVENT_TRACE_CONTROL_STOP 1
+#define EVENT_TRACE_CONTROL_UPDATE 2
+
+#define EVENT_TRACE_CONTROL_FLUSH 3
+
+#define TRACE_MESSAGE_SEQUENCE 1
+#define TRACE_MESSAGE_GUID 2
+#define TRACE_MESSAGE_COMPONENTID 4
+#define TRACE_MESSAGE_TIMESTAMP 8
+#define TRACE_MESSAGE_PERFORMANCE_TIMESTAMP 16
+#define TRACE_MESSAGE_SYSTEMINFO 32
+
+#define TRACE_MESSAGE_POINTER32 0x0040
+#define TRACE_MESSAGE_POINTER64 0x0080
+
+#define TRACE_MESSAGE_FLAG_MASK 0xFFFF
+
+#define TRACE_MESSAGE_MAXIMUM_SIZE 8*1024
+
+#define EVENT_TRACE_USE_PROCTIME 0x0001
+#define EVENT_TRACE_USE_NOCPUTIME 0x0002
+
+#define TRACE_HEADER_FLAG_USE_TIMESTAMP 0x00000200
+#define TRACE_HEADER_FLAG_TRACED_GUID 0x00020000
+#define TRACE_HEADER_FLAG_LOG_WNODE 0x00040000
+#define TRACE_HEADER_FLAG_USE_GUID_PTR 0x00080000
+#define TRACE_HEADER_FLAG_USE_MOF_PTR 0x00100000
+
+#define ETW_NULL_TYPE_VALUE 0
+#define ETW_OBJECT_TYPE_VALUE 1
+#define ETW_STRING_TYPE_VALUE 2
+#define ETW_SBYTE_TYPE_VALUE 3
+#define ETW_BYTE_TYPE_VALUE 4
+#define ETW_INT16_TYPE_VALUE 5
+#define ETW_UINT16_TYPE_VALUE 6
+#define ETW_INT32_TYPE_VALUE 7
+#define ETW_UINT32_TYPE_VALUE 8
+#define ETW_INT64_TYPE_VALUE 9
+#define ETW_UINT64_TYPE_VALUE 10
+#define ETW_CHAR_TYPE_VALUE 11
+#define ETW_SINGLE_TYPE_VALUE 12
+#define ETW_DOUBLE_TYPE_VALUE 13
+#define ETW_BOOLEAN_TYPE_VALUE 14
+#define ETW_DECIMAL_TYPE_VALUE 15
+
+#define ETW_GUID_TYPE_VALUE 101
+#define ETW_ASCIICHAR_TYPE_VALUE 102
+#define ETW_ASCIISTRING_TYPE_VALUE 103
+#define ETW_COUNTED_STRING_TYPE_VALUE 104
+#define ETW_POINTER_TYPE_VALUE 105
+#define ETW_SIZET_TYPE_VALUE 106
+#define ETW_HIDDEN_TYPE_VALUE 107
+#define ETW_BOOL_TYPE_VALUE 108
+#define ETW_COUNTED_ANSISTRING_TYPE_VALUE 109
+#define ETW_REVERSED_COUNTED_STRING_TYPE_VALUE 110
+#define ETW_REVERSED_COUNTED_ANSISTRING_TYPE_VALUE 111
+#define ETW_NON_NULL_TERMINATED_STRING_TYPE_VALUE 112
+#define ETW_REDUCED_ANSISTRING_TYPE_VALUE 113
+#define ETW_REDUCED_STRING_TYPE_VALUE 114
+#define ETW_SID_TYPE_VALUE 115
+#define ETW_VARIANT_TYPE_VALUE 116
+#define ETW_PTVECTOR_TYPE_VALUE 117
+#define ETW_WMITIME_TYPE_VALUE 118
+#define ETW_DATETIME_TYPE_VALUE 119
+#define ETW_REFRENCE_TYPE_VALUE 120
+
+#define TRACE_PROVIDER_FLAG_LEGACY 0x00000001
+#define TRACE_PROVIDER_FLAG_PRE_ENABLE 0x00000002
+
+#define EVENT_CONTROL_CODE_DISABLE_PROVIDER 0
+#define EVENT_CONTROL_CODE_ENABLE_PROVIDER 1
+#define EVENT_CONTROL_CODE_CAPTURE_STATE 2
+
+#define DEFINE_TRACE_MOF_FIELD(MOF, ptr, length, type) \
+ (MOF)->DataPtr = (ULONG64)(ULONG_PTR) ptr; \
+ (MOF)->Length = (ULONG) length; \
+ (MOF)->DataType = (ULONG) type;
+
+typedef struct _EVENT_TRACE_HEADER {
+ USHORT Size;
+ _ANONYMOUS_UNION union {
+ USHORT FieldTypeFlags;
+ _ANONYMOUS_STRUCT struct {
+ UCHAR HeaderType;
+ UCHAR MarkerFlags;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+ _ANONYMOUS_UNION union {
+ ULONG Version;